spring-security
Spring Security
To improve handling of `CsrfToken` instances generated by a `CsrfTokenRepository`, consider adding a generic type similar to [`SessionRepository`](https://github.com/spring-projects/spring-session/blob/main/spring-session-core/src/main/java/org/springframework/session/SessionRepository.java) in [spring-session](https://github.com/spring-projects/spring-session). For example:

```java
public interface CsrfTokenRepository {
    T generateToken(HttpServletRequest request);
    ...
```
The documentation [currently uses `AnnotationMethodMatcher`](https://github.com/spring-projects/spring-security/issues/11024#issuecomment-1088408171), but this is incorrect. The code requires a `Pointcut`.
With the introduction of [`AuthorizationManager`](https://github.com/spring-projects/spring-security/issues/8900), there are a number of next steps that seem valuable.

- [x] Consider AuthorizationManager for Method Security - #9289
- [x] #11076
- [x] Consider...
Now that applications can use a `SecurityContextHolderStrategy` bean, there's value in assisting applications with what may be a sizeable transition away from using `SecurityContextHolder`. There are some cases where an...
See https://github.com/spring-projects/spring-security/issues/1890#issuecomment-1252678357
It'd be handy to be able to construct an instance of `HttpSecurity` independently from a `WebSecurityConfigurerAdapter`. In theory, this is possible since `HttpSecurity` has a `public` constructor, but that's currently...
**Expected Behavior**

There should be a subsection in https://docs.spring.io/spring-security/reference/ describing `org.springframework.security.authentication.CachingUserDetailsService`.

**Current Behavior**

In fact there is no such text passage mentioning this class.

**Context**

This class...
[Yale Madden](https://jira.spring.io/secure/[email protected]) (Migrated from [SEC-1877](https://jira.spring.io/browse/SEC-1877?redirect=false)) said: The rolePrefix member of LdapUserDetailsManager defaults to "ROLE_". This forces me to use this default rolePrefix throughout my application. Otherwise, convertAuthorityToGroup does not remove...
**Describe the bug** `JwtAuthenticationProvider` delegates the instantiation of an `Authentication` to a `Converter`, but it then alters the returned value's `details` property. For a framework user providing a `Converter` bean which sets...